Have you considered putting the "loopback" at the outside router? That
way, the PIX stays simple and there is no way for one user to clobber
another. It does make screening for spoofing more difficult, so that may
take some adjustment (normally, the routers and PIX would be configured
to reject any inbound packets with their outbound address as source).
Good luck and have fun!
Vincent C Jones
>I have a NAT/PAT design problem that's driving me nuts.
>Diagram is straightforward, and looks like this ("I" means connected):
>many customer nets using 10. /8 net address space
>Let's say that there are two private address space customer nets on the
>inside. Each of them has one or two hosts, which should be visible from
>Internet. That's no problem, static NAT is used (conduit at PIX). All other
>hosts access Internet via PIX's overloaded address.
>Now, I want to make those customer nets invisible to each other (access-list
>at access router should do this just fine).
>So any host on the first private net that wants to talk to a publicly accessible
>host on the second private net MUST USE that host's Internet-wide IP (which is
>available via DNS, and is hard coded into the PIX).
>The problem comes down to this question: Can the PIX receive a packet with a source
>addr. originating from inside and a destination addr. belonging to one of
>its conduit statements (a legal Internet address), and then return it
>back out the same interface translated in THIS way: source=PIX's overloaded
>address, dest=private address matching that legal Internet address?
>Is it possible to do something like that?
>Again, this is one design alternative, and I would appreciate comments.
Dr. Vincent C. Jones, PE              Expert advice and a helping hand
Computer Network Consultant           for those who want to manage and
Networking Unlimited, Inc.            control their networking destiny
14 Dogwood Lane, Tenafly, NJ 07670
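The reply's caveat is that hairpinning through the outside router collides with the usual anti-spoof screen: a packet that the PIX has already translated to its overloaded address comes straight back in on the outside interface carrying one of the PIX's own addresses as source, which is exactly what the screen is meant to reject. The simulation below is an added example, not code from either poster and not a PIX configuration; it models the screen as a direction-aware source check over constructed addresses (customer nets in 10.0.0.0/8 as in the thread, public side in RFC 5737 documentation space) and shows which single exemption the "adjustment" in the reply amounts to.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the original post). Customer nets use
# 10.0.0.0/8 as in the thread; the public side uses documentation space.
INSIDE_NETS = [ip_network("10.0.0.0/8")]
PIX_OVERLOAD = ip_address("203.0.113.10")        # PAT address used by "all other hosts"
STATIC_NAT = {                                   # public -> private, the conduit hosts
    ip_address("203.0.113.20"): ip_address("10.1.0.5"),
    ip_address("203.0.113.30"): ip_address("10.2.0.7"),
}
OWN_PUBLIC = {PIX_OVERLOAD, *STATIC_NAT}         # every address we answer for on the outside


def in_inside(addr):
    """True if addr falls in customer (private) address space."""
    return any(addr in net for net in INSIDE_NETS)


def spoof_check(iface, src, hairpin_exempt=False):
    """Anti-spoof screen of the kind the reply describes: reject a packet whose
    source address could only have legitimately originated on the other side
    of the interface it arrived on. Returns 'pass' or 'drop'.

    hairpin_exempt models the one adjustment the loopback-at-the-router design
    needs: the PIX's own PAT address is allowed back in on the outside interface,
    because the router will bounce hairpinned traffic straight back to it.
    """
    src = ip_address(src)
    if iface == "outside":
        if in_inside(src):                       # private space never arrives from the Internet
            return "drop"
        if src in OWN_PUBLIC:                    # nobody outside may claim our addresses...
            if hairpin_exempt and src == PIX_OVERLOAD:
                return "pass"                    # ...except the PIX itself, via the loopback
            return "drop"
        return "pass"
    if iface == "inside":
        return "pass" if in_inside(src) else "drop"   # inside hosts only send private sources
    raise ValueError(f"unknown interface {iface!r}")


def hairpin_path(src, dst, hairpin_exempt=True):
    """Walk the poster's scenario with the loopback on the outside router:
    inside host -> PIX (PAT) -> router bounces it back -> PIX outside -> static NAT.
    Returns a list of (interface, src, dst, verdict) hops; stops at the first drop.
    """
    src, dst = ip_address(src), ip_address(dst)
    hops = []

    # Hop 1: the packet leaves the customer net and hits the PIX inside interface
    # with its private source and the server's public (conduit) address as destination.
    v1 = spoof_check("inside", src)
    hops.append(("inside", src, dst, v1))
    if v1 == "drop":
        return hops

    # The PIX rewrites the source to its overloaded address on the way out; the
    # outside router loops it straight back, so the PIX now sees it on "outside".
    src2 = PIX_OVERLOAD
    v2 = spoof_check("outside", src2, hairpin_exempt=hairpin_exempt)
    hops.append(("outside", src2, dst, v2))
    if v2 == "drop":
        return hops

    # Static NAT maps the public conduit address back to the private server.
    dst3 = STATIC_NAT.get(dst, dst)
    hops.append(("inside-delivery", src2, dst3, "pass"))
    return hops


if __name__ == "__main__":
    for exempt in (False, True):
        print(f"hairpin exemption on outside: {exempt}")
        for hop in hairpin_path("10.1.0.9", "203.0.113.30", hairpin_exempt=exempt):
            print("  ", hop)
```

With the exemption off, the hairpinned packet is dropped at the outside interface as a spoof of the PIX's own address; with it on, the packet reaches the static-NAT server with the PIX's overloaded address as source, which is the translation the original poster asked about. The exemption is deliberately narrow: inside private sources and the static-NAT public addresses are still rejected on the outside interface, so the screen keeps its value against everything except the one path the design intentionally creates.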